        } catch (DOMException dome) {
            out.println(dome);
            throw new IOException("Cannot create DOM tree", dome);
        } catch (ParserConfigurationException pce) {
            out.println(pce);
            throw new IOException("Cannot create parser.", pce);
        } catch (SAXException saxe) {
            out.println(saxe);
            throw new IOException("Error parsing XML document.", saxe);
        }
    }
}
Most of the time, this is the sort of thing you'll need to do in SOA. But it is also very powerful, because you can build the expression string from user-supplied values or from another runtime source, such as a system property.
INJECTION ATTACK IN XPATH EXPRESSIONS
Use extreme caution in allowing users to directly populate your XPath expressions. XPath expressions, like SQL statements, are very vulnerable to injection attacks. An injection attack can upset your database (whether a SQL-based database or an XML document database) by doing direct damage to the structure, or by revealing far more nodes than you originally intended to return.
The most basic form of injection attack inserts an expression that will always be true into the main expression. For example, say your XPath expression string allowed users to supply a value, as you may have done before with a JDBC statement:

    "//book[price <" + uservalue + "]/title"
This appears harmless enough. The user could supply “6” to get the titles of all books priced under $6. However, this is a bad idea, as it leaves you vulnerable to injection. Imagine that the user-supplied value instead contains or 1 = 1. The predicate is now always true, and all of the titles are returned. In your book title example that probably isn't a big deal. When dealing with financial data, user credentials, or other sensitive information, however, this can be devastating.
The fix is simply to validate incoming values carefully. In the previous example, for instance, invoking Double.parseDouble on the user-supplied value would have thrown a NumberFormatException for the injected string, so it never reaches the expression.
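The following Java class is an added example, not code from the book, that puts the unsafe concatenation pattern beside two defensive forms: the numeric validation with Double.parseDouble that the text recommends, and a fixed XPath expression that receives the price through an XPathVariableResolver so the engine never sees user text as expression syntax. The catalog XML, the class and method names, and the sample input "6 or 1 = 1" are all constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

    // Constructed sample catalog for the example; not taken from the page.
    private static final String CATALOG =
          "<catalog>"
        + "<book><title>Cheap Paperback</title><price>4.99</price></book>"
        + "<book><title>Hardcover</title><price>29.95</price></book>"
        + "<book><title>Reference Volume</title><price>120.00</price></book>"
        + "</catalog>";

    // VULNERABLE: the concatenation pattern the text warns about. The user
    // value is pasted into the expression, so it can change the predicate.
    static String buildExpressionUnsafe(String userValue) {
        return "//book[price < " + userValue + "]/title";
    }

    // MITIGATION 1 (the text's suggestion): require a plain numeric literal.
    // Double.parseDouble throws NumberFormatException on anything else, so an
    // injected "or 1 = 1" is rejected before an expression is ever built.
    static double parsePrice(String userValue) {
        double price = Double.parseDouble(userValue.trim());
        if (Double.isNaN(price) || Double.isInfinite(price) || price < 0) {
            throw new IllegalArgumentException("price out of range: " + userValue);
        }
        return price;
    }

    // MITIGATION 2: keep the expression text constant and bind the value as an
    // XPath variable. The engine receives a Double, never expression syntax.
    static NodeList titlesCheaperThan(Document doc, double maxPrice) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name ->
            "maxPrice".equals(name.getLocalPart()) ? Double.valueOf(maxPrice) : null);
        XPathExpression expr = xpath.compile("//book[price < $maxPrice]/title");
        return (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
    }

    static Document parseCatalog(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseCatalog(CATALOG);

        // Honest input: one title is priced under 6.
        NodeList hits = titlesCheaperThan(doc, parsePrice("6"));
        System.out.println("books under 6: " + hits.getLength());

        // Hostile input of the kind the text describes (constructed sample).
        String hostile = "6 or 1 = 1";
        System.out.println("unsafe expression would have been: "
            + buildExpressionUnsafe(hostile));
        try {
            parsePrice(hostile);
            System.out.println("unexpected: hostile value accepted");
        } catch (NumberFormatException e) {
            System.out.println("rejected before reaching XPath: " + e.getMessage());
        }
    }
}
```

Validation alone is enough for a numeric parameter, as the text says; variable binding is the more general defence, because it also covers string-valued parameters where there is no numeric parse to fall back on.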
XPath is not only useful for SOAP message data extraction and BPEL assignments; it is also the foundation for working with a variety of other XML specifications, including XPointer, XQuery, and XSLT.